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Abstract 

The problem of Secret Key Establishment (SKE) over a pair of independent Discrete Memoryless 
Broadcast Channels (DMBCs) has already been studied in (3), where we provided lower and upper bounds 



Qh. on the secret-key capacity. In this paper, we study the above setup under each of the following two cases: 



(1) the DMBCs have secrecy potential, and (2) the DMBCs are stochastically degraded with independent 



< 

lO ' channels. In the former case, we propose a simple SKE protocol based on a novel technique, called 

Interactive Channel Coding (ICC), and prove that it achieves the lower bound. In the latter case, we give 
a simplified expression for the lower bound and prove a single-letter capacity formula under the condition 
that one of the legitimate parties can only send i.i.d. variables. 

' 

o. 

I. Introduction 

We consider the following problem of Secret Key Establishment (SKE): Alice and Bob want to share 
a secret key in the presence of an eavesdropping adversary, Eve. Information-theoretic solutions to this 
^ . problem assume that a collection of sources and/or channels are available to the parties. We refer this as 

o 



a setup. 

Wyner's pioneering work Q31 and its generalization by Csiszar and Korner |4[ considered transmission 
of secure messages over a Discrete Memoryless Broadcast Channel (DMBC) from Alice to Bob and 
Eve. They defined the secrecy capacity in this setup as the highest rate of secure and reliable message 
transmission (in bits per channel use) and showed that this capacity is positive if Bob's channel is less 
noisy @ than Eve's. The work in (H, lfl4l has also been proved for the case of Gaussian channels ifTOl . 
These results can also be used for SKE since any secure message transmission protocol can be used to 
send a secret-key securely over the DMBC. 

Extensions of the work in (H, lfl4l have investigated the improvement of SKE by considering new 
setups. Maurer ifm and independently Ahlswede and Csiszar HI studied SKE when there is a DMBC 
from Alice to Bob and Eve, and a public discussion channel between Alice and Bob that is reliable, 
insecure, and unlimitedly available in both directions. They also considered SKE when the DMBC above 
is replaced by a Discrete Memoryless Multiple Source (DMMS) between the parties. Csiszar and Narayan 
151 considered SKE in the latter setup with a slight difference that the public channel is one-way and 
limited in rate. Ahlswede and Cai JH studied SKE when Wyner's setup is accompanied by an additional 
secure (and reliable) output feedback channel that is used to feed back the information received from 
the forward channel. Noisy feedback over modulo-additive broadcast channels is another extension ll9l . 
|[T3l . Khisti et al. Q and independently Prabhakaran et al. lfl2l considered a setup where the parties have 
access to a DMMS and a DMBC from Alice to Bob and Eve. 



2 



In practice special types of channel, e.g., public discussion channel, must be realized from more basic 
resources such as a DMBC. In Q, we introduced a new setup for SKE, called 2DMBC, where the 
only resources available to Alice and Bob are two independent DMBCs in the two directions. This 
setup is appropriate to model wireless networks where two nodes can communicate interactively and 
their communication is eavesdropped by their wireless neighbors. The secret-key capacity in this setup is 
defined as the maximum rate of secure and reliable key establishment, in bits per channel use. Lower and 
upper bounds on the secret-key capacity in the 2DMBC setup have been provided and shown to coincide 
when the broadcast channels are physically degraded 0. 

A. Our work 

Motivated by applying the theoretical results to practical communication scenarios, in this paper, we 
extend the results of in the following directions. 

1) We consider the 2DMBC setup when both DMBCs have secrecy potential, by which, we mean that 
realizing a noiseless channel from any of the DMBCs is not optimal. In most of the channels of interest 
(in communication), this occurs when the DMBCs have non-zero secrecy capacities. We propose a two- 
round SKE protocol based on a novel technique, called Interactive Channel Coding (ICC) that achieves 
the lower bound in 0. This lower bound was proved before by a SKE protocol that, although being 
convenient for the proof, uses an elaborate two-level coding construction whose efficient design becomes 
a new challenge in practice. Instead, ICC is a simple extension of systematic channel coding to a two- 
round construction in which the messages are essentially a codeword from a systematic error correcting 
code, split into two parts: one received in the first round and one sent in the second round. Roughly 
speaking, the ICC protocol works as follows. Alice sends a random sequence Ra and Bob receives a 
noisy version of it, I a- He chooses an independent random sequence, Is, and appends it to I a- We refer 
to the concatenated sequence / = (Ia\\Ib) as the information sequence. Bob uses his systematic encoder 
to calculate a parity-check sequence P for the information sequence /, and sends (Ig||P) to Alice, where 
Alice receives (Rb\\Rp). She uses her systematic decoder to decode R = (Ra\\Rb\\Rp) to J = (Ia\\Ib) 
as an estimation of the information sequence. The rest is to generate a secure key from the information 
sequence. ICC is particularly important as it allows progress in systematic capacity achieving codes to be 
directly applied to SKE. 

2) We study the 2DMBC setup when the DMBCs are stochastically degraded with independent channels. 
We refer to this setup as sd-2DMBC. This study is motivated by observing that the results in for the 
secret-key capacity of (physically) degraded 2DMBCs do not necessarily hold for stochastically degraded 
2DMBCs. In setups like JH, 0, Q, |[T2l that do not offer interactive communication, physically and 
stochastically degraded broadcast channels are equivalent in terms of the secret-key capacity. This is not 
true, however, for the 2DMBC setup in which interactive communication is permitted. Two important 
classes of stochastically degraded channels with independent components are binary symmetric broadcast 
channels and Gaussian broadcast channels. We note that our results can be easily extended to continuous 
memoryless channels. 

2-a) We give a simplified expression for the lower bound on the secret-key capacity in the sd-2DMBC 
setup which uses fewer random variables and hence results in a simpler maximization problem. 
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2-b) We consider sd-2DMBC when one of the parties can only send only independently, identically 
distributed (i.i.d) variables. We prove a single-letter formula for the secret-key capacity that is 
achieved by a two-round protocol. 
An example of the scenario (2-b) is when a base station wants to establish keys with several users in 
different locations. The offline computation power of the base station is high but its realtime computation 
power is limited. So, the base station sends i.i.d. variables in realtime and stores the received variables 
from all other nodes in all communication rounds. Next, it calculates the common keys with each user 
from the stored information in the offline mode. Our study of the above scenario provides a solution to 
this problem. 

B. Notation 

We use calligraphic letters (U) to denote finite alphabets (sets), and the corresponding letters in 
uppercase (U) and lowercase (u) to denote random variables (RVs) and their realizations, respectively. 
The size of U is denoted by \U\. U n is set of all sequences of length n whose elements are in U; 
U n = (Ux, U2, ■ ■ ■ , U n ) is called an n-sequence, i.e., a sequence of n (possibly correlated) RVs in U, 
and XJ\ is used to denote a part of this sequence that is (Ui,Ui + i, . . . ,Uj). We use '||' to show the 
concatenation of sequences. For a value x, we use [x] + to show max{0, x}. For three random sequences 
Qi, Q2, and Q3, we use Qi <-> Q2 -B- Q3 to denote a Markov chain between them in this order. 



C. Paper organization 

Section Ull describes the 2DMBC setup, definitions, and existing SKE results in this setup. Section ITlTl 
summarizes the main results of this paper. Section JV] is dedicated to the proofs. We conclude the paper 
in Section [V] 



II. Model, Definitions, and Existing Results 
The 2DMBC setup is depicted in Fig. Q] There is a forward DMBC, X f 



(Yf, Zj) specified by 



PY,,z f \Xf from Alice to Bob (and Eve) and a backward DMBC, — > (Yf,, Z&) specified by PY b ,z b \x b > 
from Bob to Alice (and Eve). We assume that each party has free access to an independent source of 
randomness. 



Alice 



Forward DMBC 



Eve 



Backward DMBC 



Bob 



X, 



Fig. 1. The 2DMBC setup 



An SKE protocol in this setup may contain several communication rounds. In each round either Alice or 
Bob sends a sequence of random variables (RVs) which is computed using some independent randomness 
and the communicated (sent and/or received) sequences in the previous rounds. Finally each party will 
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have a set of communicated sequences, which form their view. Using their views, one of the legitimate 
parties computes a key S, and the other one computes an estimation of the key S. A secure SKE protocol 
and the secret-key capacity in the 2DMBC setup are defined as follows. 

Definition 1: Q An SKE protocol II in the 2DMBC setup is (R s k,S)-secure if it results in the key 
S and its estimation S such that 

> Rsk ~ (la) 

Uf + Tib 

Pr(S + S) < 5, (lb) 
H{S\View E ) 

H(S) > 1 " *' (1C) 
where ViewE is Eve's view at the end of the protocol, and rif and are the number of times that the 
forward and the backward channels are used, respectively. 

Definition 2: [3] The secret-key capacity in the 2DMBC setup, C 2 P M , is the largest R s k > such 
that, for any arbitrarily small 6 > 0, there exists an (R s k, S) -secure SKE protocol. 

We recall the lower and the upper bounds given in [31] on the secret-key capacity in the 2DMBC setup. 
Let the RVs Xf,Yf,Zf (resp. X b ,Y b ,Z b ) correspond to the conditional distribution Py s ,z s \x f (resp. 
Py b ,z h \x h )> specified by the 2DMBC. Let Vf, V b , Wij, W 2 j, W\ >b , W 2 , b be RVs from arbitrary sets where 
Vf, Vb, iW\,f,W 2 j), and (Wi : b,W 2: b) are independent and the following Markov chains are satisfied: 

V f o Y f o (X f , Zf), W 2f) o W 1>b ^X b ^ (Y b , Z b ), (2a) 
Vb^Yb^ (X b , Z b ), W 2J o W X j ^X f ^ (Y f , Zf). (2b) 

Also let 

R^=I(y r ,X f )-I(Vf,Z f ), (3a) 
= I(Wi,b', Y b \W 2 , b ) - I(W ltb ; Z b \W 2 , b ), (3b) 
R* 1 =I(V b ;X b )-I(V b ;Z f ), (3c) 
R?2 = I(Wij;Y f \W 2 , f ) - HW^ZflW^f). (3d) 
The secret-key capacity is lower bounded Q as 

C 2 S P MBC >m^{L A ,L B }, (4) 

where 

-n f Rf 1 + n b [Rf 2 ) 



La = max 



Lb = max 
and it is upper bounded Q as 



rif + n b 
UbR^+nflRg] 



-s. t. nfI{Vf-Y f \Xf) < n b I(W iy ,Yb) 
-s. t. n b I(V b ;Y b \X b ) < n f I(W ljf ;Y f ) 



(5) 
(6) 



rif + n b 

C 2 £ MBC < max {I(Xf,Yf\Zf),I(X b ;Yb\Zb)}. (7) 



Px f ,Px b 
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III. Statement of Main Results 
A. The interactive channel coding protocol 

The lower bound in (H} has been obtained by an SKE protocol [3] that uses a complicated two-level 
coding construction whose efficient design becomes a challenge in practice. We introduce the interactive 
channel coding (ICC) technique which is used to design the so-called ICC protocol for SKE. We show 
that when the DMBCs have secrecy potential, the ICC protocol can achieve the lower bound in (@]). ICC 
relies on the existence of capacity-achieving systematic channel codes. Designing efficient constructions 
for systematic channel codes has been well studied, e.g., a large body of work on the design of capacity 
achieving channel codes follows on linear block codes which can be represented as systematic codes. 
This makes the design of an efficient ICC protocol for SKE as simple as the design of efficient coding 
for SKE over a (one-way) DMBC 0. 

Definition 3: A (bipartite) systematic channel code, with encoding alphabets (yf,X b ) and decoding 
alphabets (Xf,y b ), is specified by a pair of encoding/decoding functions (Enc/ Dec), where 

• Enc : y™ f x X b b ' 1 ' — > y^ x X b b deterministicaily maps (y^ 1 \\x b b '') ( as ^ information sequence) 
to the codeword (y^ \\x b b ) such that x r b lb = (x b b, '\\x b b,p ) and n b = n b ,i + n^ p ; we call x b b,p the 
parity-check sequence. 

• Dec : Xj f xy b b — > y™ f xX b nb,i deterministicaily assigns a guess (yl 1 \ \x b b '') to each input (x^ \ \y b b )- 
The general construction of the ICC protocol and a proof of Theorem Q] are provided in Section IIV-AI 

In the following, we describe the ICC protocol for a special case when Vf = Yf, W2,b = 1> Wi : b = X b , 
and Alice is the initiator (see Fig. [2]). Accordingly, we rephrase the argument to be maximized and the 
constraint condition in (fT2l) respectively as 



P n f [I(Y f ; X f ) - I(Y f ; Z f )\ + n b [I(X b ; Y b ) - I(X b ; Z h )} 

risk — ; , (°) 

rif + n b 

n f (H(Y f \X f ) + a)< n b I(X b ;Y b ), (9) 

where a > is an arbitrarily small constant. Let n b = n b ,i + n bjP , where n bi i is chosen to satisfy 

n b ,iH(X b ) = n b I(X b ; Y b ) - n f (H(Y f \X f ) + a). (10) 

Let N = rif + n b and e be a small constant such that 5Ne < Ufa. Let y™ ! e (resp. X b bt ) be the set of all 
e-typical sequences w.r.t. Py f (resp. Px b ) in 3^ (resp. X b h '*); Define 

ri f = log \y^J, rib = log \X^*\, 

V = Vf + Vb, « = NR sk , j = T ]-K. 

Let {Gi)T=i be a partition of y r f l [ x X^ into 2 K parts, each of size V. Define g : y n f [ x X b " e ' -> 
{1, 2, . . . , 2 K } as a function that, for every input (y^ f , x b b ) € Qi, outputs i. 

Encoding. Alice chooses an i.i.d. ?ij-vector X^ f and sends it over the forward DMBC; Bob and Eve 
receive Y* f and ZJ , respectively. If Y, f £ 3^?^, Bob returns a NULL; otherwise, he chooses uniformly 
at random an n^-sequence X b bA from X b b, \ encodes Enc(Y^ f \\X b b,i ) = (Yj s \\X b b ), and sends X b b 
over the backward DMBC; Alice and Eve receive Y b nb and Z b b , respectively. 

Decoding. Alice decodes (Yf = Dec(X n } 1 \\Y b nb ) using bipartite jointly typical decoding: she 

searches through the 2 V words in yj f e x X b b t ' and either finds a unique (Yp , X b b '' ) such that Enc(Y^ f , X b b 
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and {X™ 1 ,Y b nb ) are (n/, e)-bipartite jointly typical w.r.t. (Py ft x f ,Px b ,Yb) (see Section HV-AI Definition 
[7]), or returns a NULL. 

Key derivation. Bob computes S = g(Y^ f ,X^ b ''). Alice computes S = g(Yj n \ X^ b '). 



Alice 

.f < — 



Systematic 1 
Decoder 



Forward 
DMBC 



Z ;.. Eve z «j 



J Y" 1 ' 



Backward 
DMBC 



\ 

Systematic 

j£»b [ Encoder 



Bob 



A? 



Fig. 2. ICC over a 2DMBC: Alice initiates the protocol 

Theorem 1: Taking the variables from Q and ([3]), the ICC protocol can achieve the secret-key rate 



R 



ICC 



(11) 



where 



nICC 
K A 



TflCC 



max 

rif,n b ,Px f ,v f >Px b ' w -z,b< w -L,b 



max 



{ n f Rf 1 + n b Rj 2 g ^ < w } ^ ^ 

rif + rib 

rifR^ + n b Rf 2 



{ 



s.t. n b [I(V b ;Y b \X b )} < n f I(W ljf ;Y f )}. (13) 



Comparing ([5]) with (fT2l) . we conclude that R 1 ^ and L A are equal if for the optimal selection of 
the parameters, in the maximization problem of ([5]), R^ 2 becomes non-negative. In other words, the two 
values (rates) are equal if the backward DMBC has secrecy potential, i.e., the optimal strategy is not based 
on realizing a noiseless channel from the backward DMBC. Similarly, Rg equals L B if the forward 
DMBC has secrecy potential. 

Corollary 1: When the DMBCs have secrecy potential, the ICC protocol can achieve the lower bound 
in ©. 



B. The secret-key capacity in the sd-2DMBC setup 

SKE over physically degraded 2DMBCs (pd-2DMBCs) was considered in (3], where we showed that 
the lower and the upper bounds coincide and the capacity is achieved by a one-round SKE protocol. This 
implies that interaction over a pd-2DMBC cannot increase the SKE rate. However, this is not generally 
true for stochastically degraded broadcast channels, and the upper bound in (O does not necessarily 
coincide with the lower bound in (@]) for stochastically degraded DMBCs. In this paper, we consider SKE 
over a 2DMBC, where each DMBC is stochastically degraded with independent channels. We refer to 
this setup as sd-2DMBC. 

Definition 4: The DMBC X — > (Y, Z), with conditional distribution Pyz\x> i s stochastically degraded 
in favor of Y (or the party who receives Y) if there exist two RVs Y and Z such that X -H> Y Z 
forms a Markov chain and 



Pxv{x,y) = P X y(x,y), 



P X z(x,z) = P x ^(x,z). 
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It consists of independent channels if Pyz\x = Py\x-Pz\x- 

Definition 5: A sd-2DMBC is a 2DMBC whose DMBCs are stochastically degraded (either in favor of 
Y or in favor of Z), and consist of independent channels. 

1 ) Lower bound: 

Proposition 1: The secret-key capacity in the sd-2DMBC setup is lower bounded as 

C:t 2DMBC >^{L' A ,L' B }, (14) 

where 

t> r n f I(Vf,X f \Z f ) + n b [I(X b ; Y b ) - I(X b ; Z b )]+ rm/vlvM^ mrv^n^ 

L' A = max { J -^-^ L -± '- i ^ s. t. n f [I{V f ;Y f \X f )] < n b I(X b ; Y b )}, (15) 

n f ,n b ,P Vf ,x f ,x b rif + rif, 

Li- + s ( < y/)) (16) 

nf,n b , Pv b ,x b ,x f Tlf + Tl b 

The expressions (031 ) and (fT6l ) do not contain the RVs Wi.,6, W2,b, Wij, and W2,/, compared to © and 
©. So, the maximization problem in obtaining the lower bound (TT41 is easier than that in (@]). 

2 J single-letter characterization: We consider a scenario where one of the legitimate parties can only 
send i.i.d. variables, and derive an expression for the secret-key capacity under this condition. 

Theorem 2: When one of the legitimate parties can only send i.i.d. variables, the secret-key capacity 
in the sd-2DMBC setup equals 

m&yL{L' A ,L' B }, (17) 
where L' A and L' B are given in (031) and (fT6l) . respectively. 

IV. Proofs 

A. Proof of Theorem \J\ the ICC protocol 

We describe the ICC protocol when Alice is the initiator and prove that it achieves the rate in (fT2l . 
In a similar way, one can describe ICC when Bob initiates the protocol and prove (fT3l) . First we give 
the following definitions from Q for bipartite typical sequences. A bipartite sequence X N = (U n \\T d ), 
where N = n + d, is the concatenation of two subsequences, U n G U n and T d € T d , with two probability 
distributions, Pw and Pt*, respectively. 

Definition 6: A sequence x N = (u n \\t d ) is an (e,n)-bipartite typical sequence with respect to the 
probability distribution pair (Pu(u), Pr(t)), iff 

l4 v(/) .« l<( , (18) 

where P(x N ) is calculated as 

n d 

P{x N ) = J\p u { Ul ) x X\P T {ti). (19) 

i=l i=l 

Definition 7: A pair of sequences (x ,y ) = ((u n \\t d ), (u' n \\t' d )) is an (e,n) -bipartite jointly typical 
pair of sequences with respect to the probability distribution pair (Pjjjji(u,u'), Pr.T'{t,t')), iff x N 
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and y N are (e, n) -bipartite typical sequences with respect to the marginal probability distribution pairs 
(Pu{u),P T {t)) and (P w (it'), P' T (t')), respectively, and 

i^ w//) .=«±« l<£ , (20) 

where P(x N ,y N ) is calculated as 

n d 
P(X N ,V N ) =Y\Pu,w{Uii<) >< J{PT,T'{tiA)- (2D 

1=1 1=1 

Back to the proof, let the RVs Vj,Xf,Yj,Zf, and W\ : b,W 2: b, X b ,Y b , Z b be the same as defined in 
Theorem Q] such that the Markov chains in © are satisfied. Also let n f and rib be integers that satisfy 
the constraint condition in (fT2l) . For simplicity, we use W±,W 2 , and V to refer to Wi6, W2&, and Vj, 
respectively. Accordingly, we write the argument to be maximized in (fT2l as 

^ = n^ + n^ 
n/ + n b 

where 

i^J^X/J-I^Z,), (23a) 
Rf 2 = I(W l] Y b \W 2 )-I(W 1] Z b \W 2 ), (23b) 
and we rephrase the constraint condition in (fT2l as 

n 6 J(Wi;H) ^^(/(F; ^1X^ + 30!), (24) 

where a > is an small constant to be determined (later) from 8. We shall show that for any given 5 > 0, 
for sufficiently large rif and n& that satisfy (1241 ). the three requirements in (Q]) can be satisfied. 

Let N = rif + n b and e, /3 > be small constants determined from a such that 3iVe < n b f3 = n/a. 
Let rib = n b,i + n b,2> where rib 1 is chosen to satisfy 

n b , 2 I(Wr, Y b ) = n f (I(V; Y f \X f ) + 3a). (25) 

Define 

Vf = nf[I(V;Y f ) + a], rj f>2 = n b , 2 I(W 2 ;Y b ), rjf tl = rj f - r// i2 , (26) 

% = n&,i[J(Wi;l6) -£], Vb,2 = n bjl I(W 2 ;Y b ), Vb,i = Vb ~ Vb,2, (27) 

771 = Vf,i + Vb,i, m = Vf,2 + Vb,2, V = Vf + r lb, (28) 

K = (nf + n b )R sk , 1 = n- k. (29) 

Although the quantities obtained in (|23T)-(|29l are real values, for sufficiently large n b and rif, we can 
approximate them by integers. Since j3 can be made arbitrarily small, we can assume rj b and rjf axe 
non-negative. Furthermore, since 

ri = Vf + Vb= n f [I(V;Y f ,X f ) + a] + n htX [I{W x ,Y h ) - 0\ 

= n f I(V;X f ) + n f I(V-,Y f \X f ) + n f a + n b , 1 I(W 1 ,Y b )-n btl f3 
( = } n f I(V;X f ) + n bj2 I(Wx,Y b ) - 2n f a + n 6 ,i/(Wi, Y 6 ) - n b>1 p 

> n f I(V;X f ) + n b I(Wi,Y b ) -3n f a> R^ + Rfa - 3n f a 

> k — 3nja, 
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for arbitrarily small a, we can assume 7] > k and so 7 is non-negative. Equality (a) above is due to d26l ). 
(|2VT >. and the Markov chain Xf o o V, and equality (b) follows from (|25T ). The following sets and 
functions are used in the design of the ICC protocol. 

(i) V n/ is the set of all possible n /--sequences with elements from V. Create V™' by randomly and 
independently selecting T ]s e-typical sequences (w.r.t. Py) from V nf . 

(ii) Let f : V™ ! — >■ T = {1, 2, . . . , 2 Vf } be an arbitrary bijective mapping; denote its inverse by f -1 . 
(hi) let {Fi}fJ^ be a partition of T, into 2 Vf - 2 equal-sized parts. Label elements of part i as Ti = 

{fijYjtv Define fin* ■ T ^ {1, . . . , W} x {1, . . . , 2^} such that f in0 (/) = (i, j), if / is labeled 

b y /«• 

(iv) W™ M is the set of all possible sequences W™ M . Create W™^ 1 by randomly selecting 2 rib different 
e-typical sequences (w.r.t. Pw t ) from W" M . 

(v) Let b : W™ 1 , f -> B = {1, 2, . . . , 2 7 ?**} be an arbitrary bijective mapping; denote its inverse by b . 

(vi) In analogy to T , let {^j}^ 2 be a partition of ^ where B\ = }| Ji • Define \>i n dx '■ B — » 
{I,..., 2 r ">>* } x {1, . . . , 2^- 1 } such that b indx {b) = (i, j), if b is labeled by b i}j . 

(vii) Let be a partition of J 7 x B into parts of size 2 7 . Define 5 : J 7 x B — > {1, 2, . . . , 2 K } such 
that, for any input in Gi, it outputs i. 

(viii) Define the parity-check book Vi as a the collection of 2* words {w^^ : f 2 = 1, 2, . . . , 2^ 2 , 6 2 = 
1, 2, . . . , 2 r,b ' 2 }, where each codeword ^2/262 * s °^ length and is independently generated 
according to the distribution 

«.(,, 2 

Y[p(W 2 = w 2j2M (i)). 

i=l 

(ix) For each w^j? b2 , Define the parity-check book V\ (w 2 V b2 ) as a the collection of 2 ,?1 words {^1 j 2 & 2 ^ 
: /1 = 1, . . . , 2 ,?/1 , b\ = 1, ... , 2'? 6 ' 1 }, where each codeword fej . bj is of length 72,^2 and is 
independently generated according to the distribution 

nb,2 

Y[p(W! = wi )h)b2jubl {i)\W 2 = w 2j2yb2 {i)). 

i=l 

(x) Let Enc : V n/ x W™ M — > V nj x W™ 6 be a (bipartite) systematic encoding function such that 
Enc(v nf ,w^ b ' 1 ) = (v 7lf ,w 1 l b ), where w' l b = (w™ b ' 1 , w™ b '^ b2 ^ bi ), using the above parity-check 
books when / = f («»/), 6 = KWT' 1 ), (/ 2 , /1) = f in0 (/),' and (b 2 M) = b in0 (6). 

(xi) Let DMC W be the DMC, W\ ->• X 6 , that is specified by Px 6 |wv 

Encoding. Alice selects an i.i.d. nj-sequence Xj and sends it over the forward DMBC. Bob and Eve 
receive Yj' and Z™ f , respectively. Bob finds a V nf G Ve f that is e-jointly typical with Yj ! (w.r.t. 
-fV,y/)> or returns a NULL if he fails. He selects independently a uniformly random W^ b '* G W^*' 1 . 
He computes F = f(V™'). 5 = b(VFf bl ), {F 2 ,F 1 ) = f in0 (F), and (S 2 ,Bi) = b in0 (B), and calculates 
SncfV^Wj*" 1 ) = (V n f,W? b ) using these variables. Next, Bob inputs W™" to DMC W to compute 
and sends X^ b over the backward DMBC. Alice and Eve receive Y b nb and Z£ b , respectively. 

Decoding. Alice searches through V™ 1 x W™^' 1 and either finds a unique (V n f , W™ hA ) that is (e, n/)- 
bipartite jointly typical to (X?',!^ 6 ) w.r.t. (Py.Xj , -P Wli yJ, or returns a NULL. 
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Key Derivation. Bob computes S = g(F, B). Alice computes F = f(V nf ) and B = b(W™ b and then 
S = g(F,B). 

Fig. [3] shows the relationship between the random variables/sequences used in the ICC protocol. Two 
variables/sequences are connected by an edge if (1) they belong to input/outputs of the same DMBC, or 
(2) one is computed from the other by Alice or Bob using a (possibly randomized) function. 

r/-r — F 
J\ 

Bob Fi F 2 



f 






Alice 


Eve 






y"h 








B, B, K>— W*"— 

1 B 



\ I 

B W l * 1 Alice Bob 

(a) Encoding and decoding (b) Key derivation by Alice (c) Key derivation by Bob 

Fig. 3. The relation between the variables/sequences used in the ICC protocol for |(a)| encoding/decoding, |(b)| key derivation by 
Alice, and |(c)| key derivation by Bob 

Uniformity Analysis: Proving (flab 

From AEP for Py (see (3j Appendix A] for more details), and since F and V nf have the same distribution, 

V/ G F, Pr(F = /) < 2^' +57Ve . (30) 
=>- r) f - 5Ne < H(V nf ) = H{F) < rj f , (31) 

Since W™ b A (resp. B) is selected uniformly at random from W™^ 1 (resp. B) of size r\ b 

V6 G B, Pt(B = b) = T~ r]b (32) 
^ H(W? b l ) = H(B)= Vb . (33) 

For every i S {1,2,... , 2 K }, the probability that S = i equals to the probability that (F, B) G Qi. More 
specifically (see ([28]) and (f29l)), 

Vi : Pr(5 = i) = J] Pr(F = / A B = b) < 2^2~ r 'f +5Ne 2^ b = 2 ^2~ ri+5Ne = 2~^ K ~ 5N ^ 
- H(S) >^l = R, t - S , *>5, (34, 



nj +n b nj + n b 
Reliability Analysis: Proving (flbl 

Since there are ?]f = rif[I(V;Yf) + a] sequences in Vf / , from joint-AEP, with probability arbitrarily 
close to 1, there exists a V nf £ Ve 1 that is e-jointly typical with Y^ 1 (w.r.t. Pv,Y s ) and the encoding 
phase is successful. In the decoding phase, Alice needs to search through the 2 V words in V™ f x W™^ 1 , 
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where 77 is calculated as 

V = nf + Vb = n f {I(V-,Y f )+a)+n K1 {I{Wr,Y b )-p) 

{ = } rif(I(V; Y f ) + a) + n b I(W r , Y b ) - n f (I(V f ;Y f \X f ) + 3a) - n M /3 

( = } n f (I(V; X f , Y f ) + a) + n b I{W 1 ;Y b )-n f (I(V f ;Y f \X f ) + 3a) -n b>1 p (35) 

= n f I(V;Xf)+n b I(W 1 ;Y b )-2n f a-n bjl p 

< n / /(F;X / )+n b /(Wi;y 6 )-97Ve. (36) 

Equality (a) follows from (|26l ) and (1271 , equality (b) follows from (|25l ), and equality (c) is due to the 
Markov chain Xf <-> Yy <-> V. Since 77 is sufficiently smaller than rifI(V;Xf) + ^/(Wi; Y&), from 
AEP for bipartite sequences (see (3j Theorem 4]), there exist an encoding function Enc(.) for which the 
decoding error probability becomes arbitrarily close to 0. This implies that 

Pt(S^S) <Pt((F,B) ± {F,B)\ =Pr((V n ?,W? b l ) ^ (V n ' ,W? bA )) < S. 



Secrecy Analysis: Proving ([TcJ 

We shall show that the H{S\Z n f ! , Z" b ) is close to H{S). For the quantities H(F 2 ) and H(B 2 ), we have 
(see [3, Appendix A] for more details) 



Vf,2 - 5iVe < H{F 2 ) < rj fj2 , (37) 
=> H(B 2 ) = m 2 . (38) 



We write H{S\Z n ' ZV; b ) as 



H(S\Z] f ,Z^)>H(S\F 2 , B 2 , Z n /,Z^) 

=H(S, F, B\F 2 , B 2 , Z n /,Z r b l ») - H(F, B\S, F 2 ,B 2 , Z n /,Z^) 
=H(F, B\F 2 , B 2 , Z n /,Zl?») - H(F, B\S, F 2 ,B 2 , Z n /,Z^) 

=H(F, B\F 2 , B 2 ) - I(F, B; Z n / , Z?\F 2 , B 2 ) - H(F, B\S, F 2 , B 2 , Zf \Z?). (39) 

The first term above is written as 
The first term is written as 

H(F, B\F 2 , B 2 ) = H(F\F 2 , B 2 ) + H(B\F, F 2 ,B 2 ) ( = H(F\F 2 ) + H(B\B 2 ) 
( =' H(F) + H(B) - H(F 2 ) - H(B 2 ) 

(c) 

>i]f- 5Ne + Vb~ VF,2 ~ Vb,2 

(d) 

> n f I{V;Y f ) - 2Ne + n bA [I(Wi;Y b ) - p] - n b , 2 I(W 2 ;Y b ) - n bA I{W 2 ;Y b ) 

( = } n f I(V;X f ) + n f I(V;Y f \X f ) - 2Ne + n bjl I(W 1 ;Y b ) -n b I(W 2 ;Y b ) -n bjl p 

= n f I(V;X f ) + n f (I(V;Y f \X f ) + 3a) + n M J(Wi ; y 6 ) - n b I(W 2 ;Y b ) - 3n f a - n b p - 2Ne 

( =£ rifI(V; Xf) + n b)2 I(Wr,Y b ) + n b ^I(Wr,Y b ) — n b I(W 2 ; Y b ) - 3n f a - n b /3 - 2Ne 

> n f I(V;X f ) + n b I(Wr,Y b ) - n b I(W 2 ;Y b ) - UNe 

= n f I{V;X f ) + n b I(Wr,Y b \W 2 ) - 14iVe (40) 
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Equality (a) holds since B2 and B are selected independently of F2 and F, equality (b) holds since F2 
and B2 are deterministic functions of F and B, respectively (the encoding phase), inequality (c) follows 
from 0J}, ([33]), ([37]), and ([381), equality (d) follows from ([26]) and ([27]), equality (e) is due to the Markov 
chain Xf -f* Yf V, equality (f) follows from ([251 ). and equality (g) is due to the Markov chain 
W 2 Hfi« Y b . 

The second term in d39l is written as 

I(F, B; Zf , \F 2 , B 2 )= I(F, B; Zf \F 2 , B 2 ) + I{F, B; Z^\Z n / , F 2 ,B 2 ) 

{ ^I{V n > , B; Z n / \F 2 ,B 2 ) + I(F, B; Z^\Zf , F 2 , B 2 ) 
(6) 

<I(V n f;Zf) + I(F,B;Z^\F 2 ,B 2 ) 

= I(y n f ;Zf) + H{2%> \F 2 , B 2 ) - H(Z£» \F, B) 
(d) 

<n f I(V; Z f ) + n b [H(Z b \W 2 ) - H^WJ] 

<n f I(V;Z f ) + n b I(Wi;Y b \W 2 ) (41) 

Inequality (a) holds because V nf = f _1 (F) (the key derivation phase), equality (b) is due to the Markov 
chains (F 2 ,B 2 ) <+ (V Uf , B) o Zf, B «-» V nf «-> Zf and Zf o F Z r b l \ equality (c) holds since 
F2 and B 2 are deterministic functions of F and B, equality (d) follows from AEP, and equality (e) is due 
to the Markov chain W 2 <-»■ W\ -H- Z b . 

It remains to calculate H(F,B\S, F, B, Zf , Z r h lb ), i.e., the third term in ([39]). From (vii), knowing S = i 
gives the partition Qi that F, B belongs to; further, knowing F 2 = f 2 and B2 = b 2 gives the parity-check 
sequence w 2 V ^ 6 which is used in the encoding phase (see (viii)). Define the codebook 

Cf = : (f(u"'),&) e ft, < b = Snc(f(«^),6), ^2 = / 2 , #2 = 62}. 

Given S = i, Zf, and Z^ b , one can search all the codewords in Cf and return a unique V nf , Wj 7,6 6 Cf 
that is (e, ny) -bipartite jointly typical to (Zf , Z^) w.r.t. (Pv,z f , P\v u z J; otherwise return a NULL. From 
(vii), \Qi\ = 2 7 , and so \Cf\ = 2 7_r?2 , where rj 2 is given in (|28] |. We first calculate 77 which is used in the 
calculation of 7 — 772- 

77 = T] f + r] b 

= n f (I(V- Y f ) + a)+ n btl I(Wr, Y b ) - n b /3 

= n f I(V;X f ) + n f (I(V;Y f \X f ) + 3a) + n M /(Wi;y 6 ) - 2n f a - n b fi 

= n//(V;X/) + n6J(Wi;H)-3n/a. 
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7 ~~ V2 is written as 

y-r)2 = f]~ (nf + n b )R sk - rjf^ - Vb,2 

(b) 

< n f I(V;X f ) + n b I(Wi;Y b ) - 3n f a + n f [I(V;Z f ) - I(V; X f )} 

+n b [I(W 1 ;Z b \W 2 )-I(W 1 -,Y b \W2)]-n b:2 I(W 2 ;Y b )-n btl I(W2-,Y b ) 
= n b I(Wr,Y b ) - 3n f a + n f I(V; Z f ) + n 6 [I(Wi; Z b \W 2 ) - I(Wr, Y h \W 2 )] - n b I{W 2 - Y b ) 
n f I(V; Z f ) + n b I(Wi; Z b \W 2 ) - 3n f a 



(c) 



(d) 

< n f I{V;Z f )+n b I(Wi;Z b )-9Ne. 



Equality (a) follows from (1281 ) and d29| ), inequality (b) follows from the definition of R sk in (1221 . equality 
(c) is due to the Markov chain W 2 o W\ <-> Y b , and inequality (d) is due to the Markov chain W 2 
W± o Z b . Since 7 — 772 is sufficiently smaller than rifI(V; Zf)+n b I(Wi\ Z b ), from joint-AEP for bipartite 
sequences [3. Theorem 4], for an appropriately chosen partition {Gi}i=i, the decoding error probability 
becomes arbitrarily close to 0, i.e., given (S, F 2 , B 2 , Zj f , Z£ b ), 

Pr ((V n ',W? b ) ^ (V nf ,W™ b )) < 2e. 

Letting F = f(V n f) and B,F = Enc{W™ b ), we have 

Pi{(F,B)^(F,B)) <2e. 

Using Fano's inequality O results in 

H(F,B\S,F,B,Zf f ,Z£ b ) < H(F, B\F, B) < h(2e) + 2er), (42) 

where h(e) = — elog(e) — (1 — e)log(l — e) is the binary entropy function. Applying (l40l)- (|42l in (l39l ) 
gives 

H(S\tf}',Z?) > n / [/(V;X / )-/(V;Z / )]+n b [/(^ 1 ;y b |W 2 )-/(^ 1 ;Z fc |^ 2 )] 
-UNe - h(2e) - 2er/ 
= (n/ + n b )R sk - UNe - h{2e) - 2er] 
> H(S) - UNe - h(2e) + 2e V , 



where the last inequality follows from (1341 . This implies that by appropriate selection of e for an arbitrarily 
small 5, we will have 



H{S\Z n /,Z^ b 
H(S) 



>l-5. 



B. Proof of Proposition [7] 

From (l2ab and the independence of the two DMCs in the sd-2DMBC setup (see Definitions [4] and [5]), 
Vf «-»• Yf <-> -H> Zj forms a Markov chain, and so we write (l3ab and (|3cT > as 

R^=I{V f ; X f , Z f ) - I(V f ; Z f ) = I{V } - Xf\Z f ), (43) 
i?f!=/(H; X b , Z b ) - I(V b ; Z b ) = I(V b ; X b \Z b ). (44) 
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From Definition [4] and the second Markov chain in (l2al ). there exist Y b and Z b such that one of the 
Markov chains 

W 2 , b O W 1>b Z b , or (45a) 

W 2 , b O W 1(6 HliO^fj (45b) 

hold, and 

J(X 6 ; y ft ) = I(X b ; Y b ), I(X b ; Z b ) = I(X b ; Z b ) 
I(W 1>b ;Y b \W 2 , b ) = I(Wi, b -,Y b \W 2 ,b), 
I(W 1)b ; Z b \W 2tb ) = I(W 1)b ; Z b \W 2fi ). 

Hence, we write (l3bl as 

Rf 2 = I(Wi, b ; Y b \W 2 , b ) - I(W hb ; Z b \W 2 , b ) 
< I{W l<b ;Y b \Z b ,W 2 , b ) < I(X b ;Y b \Z b ) 

= [I(X b ; Y b ) - I(X b ; Z b )]+ = [7(X 6 ; Y b ) - I(X b ; Z b )} + . (46) 

Inequality (a) follows from (145T ). More precisely, if (I45ab holds the inequality is easily satisfied, and if 
(|45bb holds both sides equal zero. It is easy to see that equality in (|46l ) holds by choosing W 2jb = 1 and 
W\fi to be X b or 1, in the case of (145 al l or (050), respectively. In analogy to the above, we have 

Rf 2 <[I(X f ;Y f )-I(X f ;Z f )] + , (47) 

where equality holds for some W 2 j and W\j. By replacing Rf x , R^ 2 , R^, and Rf 2 in © and © with 
the above-obtained quantities, © is simplified to (fT4l . 



C. Proof of Theorem |2] 

We let Alice be the party who sends i.i.d. variables. The other case follows by symmetry. We use 
Lemma [T] to reduce a multi-round SKE protocol to a two-round one, and then give the highest rate that 
a two-round protocol can achieve. 

Lemma 1: When Alice can only send i.i.d. variables, the secret-key capacity is achieved by a two-round 
SKE protocol whose initiator is Alice. 

Proof: Let II be a t-round SKE protocol that achieves the secret-key capacity under the above 
condition. 

Case 1: Alice sends in odd rounds. In any (odd) round r, Alice's sent sequence XJ is independent of her 
view in round r — 1, and hence she could compute it in the first communication round. Besides, sending 
this sequence in the first round does not affect the distribution of Bob's and Eve's received sequences (Yj r 
and ZJ) since the channels are memoryless. Obviously Bob can compute X b r for any even r as before. 
Hence, we can convert the protocol IT into IT' in which Alice sends the whole || ( 0( ^)r<t 

Xj / ' r:r in the 

first round such that all the communicated sequences and the final key in IT and IT' have the same joint 
probability distribution, i.e., if the same randomness is chosen by Alice, Bob, and the 2DMBC in the 
execution of IT and n', then all the communicated sequences and the final key are identical. Now, Bob 
can send the whole \\( even ) r <t [X^ i "" r ] in the second round without affecting the joint distribution of the 
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sequences. We refer to this last protocol as n" which is a two-round protocol with Alice as the initiator 
such that the communicated sequences and the key have the same joint distribution as in IT. Hence n" 
achieves the secret-key capacity. 

Case 2: Alice sends in even rounds. Using a similar argument to that of Case 1, we reach a three-round 
protocol II" with Bob as the initiator: Bob sends X^ b ' x ' in the first round, Alice sends \ \{ even ) r <t X^ ,,r ' r 
in the second round, and Bob sends \\( dd)3<r<t [X^ b,r ' r ~\ in the third round. Since the communicated 
sequence in the first round is not used to calculate the second round communicated sequences, Bob can 
send X^' 1 ' in the third round without affecting the distribution of the sequences in the protocol IT". This 
gives a two-round communication protocol with Alice as the initiator that achieves the capacity. ■ 
Now, consider a two-round SKE protocol as depicted in Fig. @]in which Alice sends a sequence of i.i.d. 
variables X™' in the first round. Since the channels are memoryless and independent, Bob and Eve receive 
sequences of i.i.d. variables Yj 1 and Z n ^ ! and Yf <H> Xf o Zj is a Markov chain. This can be seen as the 
Discrete Memoryless Multiple Source (DMMS) (Yf,Xj,Zj) between Bob, Alice, and Eve, respectively 
and the DMBC X b ->• (Y b ,Z b ) from Bob to Alice and Bob. When the DMMS and DMBC satisfy the 
degradedness condition Yf o Xf -f-> Zf and X b Y b Z b , Q proves an upper bound on the secret-key 
capacity that coincides with the lower bound in (fT4l ). However, the proof in Q can not be directly applied 
to our problem due to the "stochastic" degradedness of the (backward) DMBC. We give the following 
argument to upper bound the highest achievable rate for an arbitrarily small 5 > as in (Q]). 









Alice 


Eve 






y"i, 







Fig. 4. The relations between variables/sequences in two-round SKE when Alice starts the protocol and Bob calculates the key 

The views of the parties at the end of the second round are View a = (Xj\Y b nb ), Views = 
(7^,1^), and View E = {Z] f , Z r b l »). Using Fano's inequality for ©, we have 

H{S\View A ) < H{S\S) < h{6) + SH{S), (48) 

Furthermore, (fTcl) gives 

1(5; View E ) = H(S) - H{S\View E ) < SH(S). (49) 
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In the following, we omit the length of the sequences, Xf f ,Yf f ,Zj f and X r b l " , Y b n " , Z b b from the 
superscripts, instead use bold to denote them. 77(5) is upper bounded as 

77(5) = 7(5; View A ) + H{S\View A ) 

(a) 

<7(5; View A ) - 7(5; View E ) + h{5) + 25H(S) 
< 7(5; View A \View E ) + h(5) + 25H(S) 
=> (1 - 2S)H(S) - h(5)< 7(5; View A ) - 7(5; View E ) 

= 7(5; Y b ) + I(S;X f \Y b ) - 7(5; Z f , Z b ) 

= 7(5; Y 6 ) + 7(5; X f ,Z f \Y b ) - I(S;Z f , Z b ) 

= 7(5; Y 6 ) + 7(5; Z f \Y b ) + 7(5; X f \Z f , Y b ) - 7(5; Z/, Z b ) 

= [7(5;Z / ,Y 6 )-7(5;Z / ,Z 6 )] + [7(5;X / |Z / ,Y 6 )], (50) 

where inequality (a) follows from (|48T ) and d49b . We separately discuss the two terms in (l50l . Note that 
(5, Zf) <-> Xfo <H> (Yb, Z;,) is a Markov chain. If the backward DMBC is stochastically degraded in favor 
of Z b , the first term is at most zero; otherwise, letting X b -H- Y b o Z b (see Definition UJ), we have 

7(5;Zf,Y 6 ) -I(S;Z f) Z b )=I(S;Z f ,Y b ) -7(5; Z f ,Z b ) 

= 7(5; Z f , Y b , Z b ) - 7(5; Z f , Z b )I(S; Y b \Z f , Z b ) 
< I(S, Z f ;Y b \Z b ) = 7(5, Z /; Y 6 ) - 7(5, Z /; Z b ) 

= 7(5, Z /; Y 6 ) - 7(5, Z /; Z 6 ) < n b [I{W b ; Y b ) - I(W b ; Z b )\ 

(b) 

<n b [I(X b ;Y b )-I(X b ;Z b )} + . (51) 

Inequality (a) follows from the results of message transmission over single DMBCs (e.g., [|4l Section 
V]), where the conditional distribution Py b ,z b \x b corresponds to the backward DMBC and W b is an RV 
that satisfies the Markov chain W b -B- X b O (Y b ,Z b ). Inequality (b) is due to the degradedness of the 
backward DMBC. Letting 7 be an independent random variable uniformly distributed over {1,2,. ..,nj}, 
we write the second term in (l50l as 

7(5;X / |Z / ,Y 6 )<7(5,Y 6 ;X / |Z / ) 

( = } 7(5,Y 6 ;Xf)-7(5,Y 6 ;Zf) 

n f 

( =X 7(5, Y b ; .V^Z;:,.,.^ ') - 7(5, Y b ; Z u \Z^ i+1 , Z)~ l ) 

i=l 
rif 

i=l 

= n f I(S,Y b ',X f ,j\Z f ,j, Z]; j+1 ,X J f ~\ J) 

<n } I(S,Y b ,Z n /' J+v X J f -\j-X f) j\Z f) j). (52) 

Equality (a) is due to the Makov chain Zj- « Xj o (5, Y&), equality (b) follows from the chain rule for 
difference between mutual information (see e.g., [HI Section V]), and equality (c) is due to the Markov 
chain Z f4 o X fji (S,Y b ). 
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Now, letting V f = (S,Y b , Z^ J+1 , Xj' 1 , J), X f = X fiJ , Y f = Y ft j and Z f = Z f ,j, the conditional 
distribution Py s .z s \x s corresponds to the forward DMBC, the Markov chain Zf «-» Xf o Yf o Vf is 
satisfied, and we have 

I(S;X f \Zf,Y b ) < n f I(V f -Xf\Zf). (53) 
Using the quantities of (IBTI ) and (l53l in the calculation of (l50l) . -HX^) is upper bounded as 

H{S) ~ (1=2*) 

=n f I(Vf,Xf\Zf) + n b [I(X b] Y b ) - I(X b ;Z b )] + , (54) 

where the last equality holds since 5 is arbitrarily small. This together with (ITab proves the argument in 
(IT5b . and the condition in (031 ) is proven as follows. 

n 6 /(X b ;Y b )> I(X 6 ;Y 6 ) > Z(Y /; Y 6 ) 

= 7(Y 6) S; Y f ) - I(S;Y f \Y b ) > I(Y b , S;Y f ) - H(S\Y b ) 
= I(Y b ,S;Y f ) - H(S\Y b ,X f ) - I(S;X f \Y b ) 

>/(Y 6) S; Y f ) - h(5) - 5H(S) - I(S;X f \Y b ) 

>I(Y b ,S;Y f )-I(Y b ,S;X f ) 

n f 

( =X /(y,, s, x f '.>;;;:.,:>>,; - /(y 6 , s, xy\ Y ;; +l -x Li ) 
i=i 

"V 



(e) 
i=l 



Y,lV b ,S,Xy\Yll +1 -Yf, i \XfJ 



(/) 7 

^/(Y^^^^Y^X,,,) 



n fi(Yb, s, xj '.z;:;,. .V;./. j) = n/J(y /; y,!*,) - n//(J; Y/|X/) 

n/I^/jY/lX/). (55) 



7 ,z 7 

Inequality (a) is due to the Markov chain Yf O O Y;,; inequality (b) follows from (1481 ); inequality 
(c) holds since 5 is arbitrarily small and so h(5) + 5H(S) is negligible compared to the other quantities; 
equality (d) follows from the chain rule for difference between mutual information; equality (e) is due 
to the Markov chain Xfj O 1/^ «4 (Y&, 5, Xp 1 , Y^ +1 ); inequahty (f) is due to the Markov chain 
■^/i+i ^ ^/Y+i ^7,i> equality (g) holds since Yf t j is (i.i.d.) independent of J. 

One can prove (fT6l ) by symmetry. This implies that, under the condition of this theorem, equality in 
CE!) holds. 

V. Conclusion 

We extended the results of SKE in the 2DMBC setup in the following two cases. When both DMBCs 
have secrecy potential, we proposed the interactive channel coding (ICC) protocol and proved that it 
achieves the lower bound. When both DMBCs are stochastically degraded with independent channels 
(so called sd-2DMBC), we provided a simplified expression for the lower bound, and proved that this 
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lower bound is tight under the condition that one of the parties sends only i.i.d variables. Obtaining a 
single-letter characterization or even a tighter upper bound for the secret-key capacity in the sd-2DMBC 
setup remains as future work. 
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